Requesting Entitlements, Still Broken
What the hell, Apple? You won’t give me and other security researchers the EndpointSecurity entitlement, but you give f***ing MacKeeper the entitlement?!?! What in the hell is wrong with you? 🤬🤬🤬
The macOS entitlements granting process is a disaster. No feedback, frequent mistakes in what’s granted, nonsense requests (can’t link to app if can’t release app w/o entitlement), extremely slow (4-6 weeks turnaround in idea case), & some developers clearly favoured over others.
[…]
So then you have to apply again and ask for the distribution entitlement in the free-form text field, and wait another 4-6 weeks. Chances are you’ll also want user space apps & tools to access your driver. You have to apply for that specially via free-form request too, etc.
Obviously by now I’m basically an expert at asking for DriverKit entitlements, but it’s ridiculous that “filling out a form on Apple’s developer website” is a consulting service I should even need to offer.
[…]
Apply for the entitlements you will need and wait to receive them before you start coding. Seriously, if you aren’t granted them, your only recourse is to expect your users to turn off SIP. In other words, you will have wasted your efforts if the oracle denies your request.
[…]
If you get any kind of notification of success (or entitlements just silently turn up in your account), make sure everything is there for all deployment scenarios you care about. Individual entitlements are granted independently for development, app store, and developer ID.
In theory, entitlement-based security/privacy restrictions are a win because the apps that should have them will easily get them and the bad apps won’t. Users won’t have to evaluate what each app should be allowed to do. But the reality, for many years, is that legitimate apps are not granted the entitlements, and often don’t even get a formal rejection—just silence. We’re losing and limiting good apps either because Apple’s process is broken or because it’s playing politics.
Previously:
- Potential
- Seeking Special App Store Deals
- Clario’s MacKeeper
- Apple vs. Security Researchers
- BlockBlock 1.0
- Requesting Entitlements
- Folder Access and Inconsistent App Review
- BBEdit 12.6 to Return to the Mac App Store
Update (2020-11-25): Stephen Flower:
Yep, took me a month to get entitlements granted and another month to get them fixed!
I have been waiting since mid-July for an entitlement request.
Update (2021-01-12): Csaba Fitzl:
10 months passed since I requested the EndpointSecurity entitlement from Apple. Although it has been approved 3 months ago, my profile is still not setup properly, and I can’t use it.
I wanted to release a free security tool which protects against typical injection attacks on macOS, and open source it.
[…]
I have no intention to maintain this app even for myself, as not getting the entitlement completely demotivated me from further developing this app.
Update (2021-03-24): Howard Oakley:
Even if you’re a developer and prepared to write your own code, making a snapshot is impossible without Apple’s explicit approval: the function call
fs_snapshot_create()not only requires superuser privileges, but for it to work, your app has to have a special entitlement granted by Apple. Apple apparently only approves applications for use in carefully-managed backup environments.
2 Comments RSS · Twitter
"but you give f***ing MacKeeper the entitlement?!?! What in the hell is wrong with you?"
This article explains what happened to MacKeeper:
https://eclecticlight.co/2020/05/07/mackeeper-4-3-is-notarized/
I requested three additional USB Vendor ID / Product ID pairs for my DriverKit extension in July, did get a request for additional info in September (information provided) and have not heard anything since then.